Setting Granular Security in ProjectWise Administrator
Any user who is a member of the Administrator group has access to, and full control over, all datasource nodes in ProjectWise Administrator. No user who is a member of this group can ever be restricted from having access to any datasource node in ProjectWise Administrator.
If you want to let certain users manage only certain datasource nodes without adding them to the Administrator group, you can do so by adding them to the Restricted Administrator group, and then granting them access to particular datasource nodes in ProjectWise Administrator as needed. This is referred to as granular security.
The Restricted Administrator group is created along with the main Administrator group when the datasource is created. By default the Restricted Administrator group has no members. After creating the datasource, add users to the Restricted Administrator group as needed, then give those users access to the datasource node or nodes you want to let them manage. This is done by adding the user to the Granular Security tab that exists on the Properties dialog for each datasource node. You can give users in the Restricted Administrator group access to as few or as many datasource nodes as you need. You can also give users in the Restricted Administrator group access to the main datasource node, to manage datasource properties and settings if necessary.
The following security options can be set for a Restricted Administrator on each datasource node in ProjectWise Administrator, including the main datasource node itself:
- Full control - Turns on the Change Permissions and Change Settings options.
- Change permissions - If on, the specified user can add users to or remove users from the node and set permissions as needed.
- Change settings - If on, the specified user can work with this node, just the same as any member of the Administrator group.
- No access - If on, the node is hidden from display when the specified user logs in to the datasource.
Add users to the Restricted Administrator group
- Go to the Groups node and open the Properties dialog for the Restricted Administrator group (right-click the Restricted Administrator group and select Properties).
- On the Members tab, click Add.
- In the Select Users
dialog, select the users to add and click
OK.
The selected users are added to the Members tab.
- Click OK on the Restricted Administrator Properties dialog.
Set the access for a particular datasource node
- Open the Properties dialog for any datasource node (right-click the node and select Properties).
- On the Granular Security tab, click Add.
- In the Select Security
Objects dialog, select one or more users who are members of the Restricted
Administrator group and click
OK.
You can also just select the Restricted Administrator group, if you want everyone in the group to have access.
- Select one of the users
you added from the
Users list, then in the
Permissions list, set the level of access you
want the selected user to have for this datasource node.
- If you want the user
to have full access, turn on
Full control. This turns on both Change
Permissions and Change Settings.
With these permissions, this user will see this datasource node when they log in, and they will be able to create, modify, and delete items in it, and they will also be able to modify the granular security settings for this node.
- If you want the user
to have partial access, turn on
Change settings and turn OFF
Change Permissions.
With these permissions, this user will see this datasource node when they log in, and they will be able to create, modify, and delete items in it, but they will not be able to set security on the node.
- If you want all but one member of the Restricted Administrator group to have access, give the Restricted Administrator group the necessary access (Full control or Change settings), then explicitly add the group member you want to exclude and give that user No access.
- If you want the user
to have full access, turn on
Full control. This turns on both Change
Permissions and Change Settings.
- Click OK.
Notes on Restricted Administrators and Granular Security
- No user who is a member of the Administrator group can ever be restricted from having access to any datasource node in ProjectWise Administrator.
- A Restricted Administrator can never delete or modify the Administrator group, or modify Administrator group membership, even if the Restricted Administrator has full control over the Groups node.
- A Restricted Administrator cannot modify the user setting, Use access control, for any user, including themselves, even if the Restricted Administrator has full control over the Users node. Only a member of the Administrator group can modify this user setting.
- You can add the entire Restricted Administrator group to a node's Granular Security tab if necessary.
- You can add one or more users to the Restricted Administrator group, then create a group or user list and add those same users to it, then add the group or user list (rather than the individual users) to the node's Granular Security tab.
- When a user and a group (or user list) which happens to include the user are assigned differing granular security permissions to the same node, then whatever permissions are set for the user individually will be applied when they log in, rather than those of the group or user list.
- When two or more groups (or user lists, or a mix of both) are assigned differing granular security permissions to the same node, and each object shares some users, then the user will inherit the granular security permissions of whichever object has the more restrictive permissions.